About the Authors
John F. Roland, CCNA, CCDA, CCNP, CCDP, CSS-1, MCSE, is a security specialist who works for Ajilon Consulting.
John has worked in the IT field for more than 22 years, from COBOL programming on IBM mainframes to LAN/WAN
design and implementation on United States military networks and, more recently, to the development of Cisco and
Microsoft certification training materials. John’s current assignment has him designing and implementing enterprise
network certification testing at one of the largest banks in America.
John holds a bachelor’s degree in accounting from Tiffin University, Tiffin, Ohio, with minors in math and electrical
engineering from General Motors Institute, Flint, Michigan.
Mark J. Newcomb is the owner and lead security engineer for Secure Networks in Spokane, Washington. Mark has
over 20 years of experience in the networking industry, focusing on the financial and medical industries. The last six
years have been devoted to designing security solutions for a wide variety of clients throughout the Pacific Northwest.
Mark was one of the first people to obtain the CCNA certification from Cisco and has since obtained CCDA, CCNP, and
CCDP certifications. He is the co-author of Cisco Secure Internet Security Solutions, published by Cisco Press, and two
other networking books. He has been a technical reviewer on over 20 texts regarding networking for a variety of
publishers. He can be reached by e-mail at mnewcomb@wanlansecurity.com.
About the Technical Reviewers
Scott Chen has worked in the IT field for the past seven years holding various positions, including senior NT engineer,
senior network engineer, and lead network engineer/network manager. Scott is currently a lead network engineer/
network manager at Triad Financial Corporation, which is a wholly owned subsidiary of Ford Motor. He has implemented
VPN solutions for remote access and LAN-to-LAN for several enterprises. Scott has extensive experience designing,
implementing, and supporting enterprise networks and working with various technologies that Cisco offers, including
routing, switching, security, content switching, wireless, BGP, EIGRP, and NAT. Scott graduated from the University of
California, Irvine, with a bachelor’s degree. He also holds several certifications, including MCSE, CCNA, CCNP, and
CCIE Written/Qualification. Scott can be reached through e-mail at scottchen@cox.net.
Gert Schauwers is a triple Cisco Certified Internet Expert (CCIE No. 6942)—Routing and Switching, Security, and
Communication and Services. He has more than four years’ experience in internetworking and holds an Engineering
degree in Electronics/Communication. Gert is currently working in the Brussels CCIE lab where he’s a proctor and
content engineer for the Routing and Switching, Security, and Communication and Services exams.
Thomas Scire has been working in the network infrastructure industry since 1996. Thomas specializes in LAN, WAN,
security, and multiservice infrastructure from Cisco Systems, Checkpoint, and Nokia. Thomas works for Accudata
Systems, Inc., an independent IT professional services and solutions firm that specializes in enterprise network and security
infrastructure. Some of his more notable projects include enterprise VPN and IP telephony deployments and an
international Voice over Frame Relay network deployment. Thomas holds a bachelor’s degree in Computer Engineering from
Polytechnic University and holds several certifications, including Cisco CCNA/CCDA, Cisco IP Telephony Design
Specialist, Checkpoint Certified Security Engineer, Checkpoint Certified Security Instructor, and Nokia Security
Administrator.
Dedications
From John Roland:
This book is dedicated to my wife of 28 years, Mariko, and to our son, Michael, for their understanding and support.
Their steady love and encouragement have kept me on target through some trying times during the development of this
book. You’re the greatest! I further dedicate this book to my late parents, Hazel and Forrest Roland, for nurturing me,
teaching me right from wrong, setting a shining example of a loving partnership, and showing me the benefits of a good
day’s work. I like to believe that they will be kicking up their heels together throughout eternity.
From Mark Newcomb:
This book is dedicated to my wife, Jacqueline, and my daughter, Isabella Rumiana. Jacqueline’s patience and
understanding while I am in the process of writing never fails to amaze me.
Acknowledgments
From John Roland:
Writing this book has provided me with an opportunity to work with some very fine individuals. I want to thank Brett
Bartow from Cisco Press for believing in the project and for getting the ball rolling. I would also like to thank him for
turning this project over to Michelle Grandin, Cisco Press, for editorial support. Michelle helped me in many ways
during this project and was always there to lend an encouraging word or a guiding hand. Dayna Isley, Cisco Press, provided
developmental guidance and feedback and was way too easy on my less-than-perfect submissions, and I want to thank
her for turning the work into a professional document. It has been a real pleasure to work with you three over these
several months.
Next, I would like to thank my co-author, Mark Newcomb, for stepping in to author half of this book when personal
problems brought me to a standstill. Thank you, Mark, for your professionalism and expertise and for helping to bring
this project to fruition.
I would also like to thank the technical reviewers, Gert Schauwers, Scott Chen, and Thomas Scire for their comments,
suggestions, and careful attention to detail. Without their help, this book would not be the valuable resource that it
has become. Thank you all.
From Mark Newcomb:
I heartily acknowledge John Roland’s contribution to this effort and thank him for inviting me to assist in this endeavor.
No text of any size is ever truly a work of just the authors. After nearly five years of writing, technical editing, and
working with a variety of publishers, I commend every employee of Cisco Press. Michelle Grandin, Dayna Isley, John Kane,
and Brett Bartow are people at Cisco Press I have come to know and respect for their professional efforts. I also want to
give special thanks to Tammi Ross. Within any organization, there is one individual who seems to be able to solve any
unsolvable problem. Tammi has proven herself to be that person at Cisco Press.
The technical reviewers working with Cisco Press are world class. Technical reviewers are the most valuable assets a
good publisher can have. They do not receive the recognition or compensation that they so richly deserve. I thank Gert
Schauwers, Scott Chen, and Thomas Scire for their efforts to make this work what it is today.
Introduction
The Cisco Systems series of certifications provides you with a means of validating your expertise in certain core
areas of study to current or prospective employers and to your peers. More network professionals are
pursuing the Cisco Certified Security Professional (CCSP) certification because network security has become a
critical element in the overall security plan of 21st-century businesses. This book is designed to help you
attain this prestigious certification.
Goals and Methods
The primary goal of this book is to help you prepare to pass either the 9E0-121 or the 642-511 Cisco Secure
VPN (CSVPN) exam as you strive to attain the CCSP certification or a focused VPN certification. Adhering
to the premise that, as individuals, we each retain information better through different media, this book provides
a variety of formats to help you succeed in passing this exam. Questions make up a significant portion of
this book, because they are what you are confronted with on the exam and because they are a useful way
to gauge your understanding of the material. The accompanying CD-ROM provides additional questions to
help you with your exam preparation.
Along with the extensive and comprehensive questions within this book and on the CD, this book also
covers all the published topics for the exam in detail, using charts, diagrams, and screenshots as appropriate to
help you understand the concepts. The book assumes that you have a moderate understanding of networking
(Cisco’s prerequisite for CCSP certification is that you possess the CCNA certification and pass five
additional exams), and does not attempt to bore you with material that you should already know. Some
published topics are stated with the assumption that you possess certain knowledge that the CCNA certification
did not bestow upon you. In those cases, this book attempts to fill in the missing material to catch you up to
the material covered by the exam topic. Because this is an exam certification guide, the goal is to provide
you with enough information to understand the published topics and to pass the exam, in effect right-sizing
the material to the topics of the exam.
This book can help you pass the Cisco Secure VPN exam using the following methods:
• Self-assessment questions at the beginning of each chapter help you discover what you need to study.
• Detailed topic material is provided to clarify points that you might not already understand.
• End-of-chapter exercises and scenarios help you determine what you learned from the chapter’s material.
• Additional questions on the CD give you a chance to look at the material from different perspectives.
Who Should Read This Book?
This book was designed as an aid to help you pass the CCSP Cisco Secure VPN exam. Because that is the
primary goal of this book, it stands to reason that the CCSP candidate will derive the most beneﬁt from this
book. Everyone who attempts to obtain the CCSP certification must take the Cisco Secure VPN exam,
making every CCSP candidate a potential beneficiary of the material in this book.
That doesn’t mean that this is just another one of those cramming aids that you use to pass the test and then
place on your shelf to collect dust. The material covered in this book provides practical solutions to 80–90%
of the VPN configuration challenges that you can encounter in your day-to-day networking experiences.
This book can become a valuable reference tool for the security-conscious network manager. Designers can
also find the foundation material and foundation summaries valuable aids for network design projects.
The Organization of This Book
Although this book could be read cover to cover, it is designed to be flexible and allows you to easily move
between chapters and sections of chapters to cover just the material that you need more work with. Chapter
1 provides an overview of the CCSP certification and offers some strategies for how to prepare for the
exams. Chapters 2 through 11 are the core chapters and can be covered in any order. If you intend to read
all the chapters, their order in this book is an excellent sequence to use.
The core chapters—Chapters 2 through 11—cover the following topics:
• Chapter 2, “Overview of VPN and IPSec Technologies”—This chapter discusses VPN protocols and
concepts, concentrating on the IPSec protocol. Exam objectives covered in this chapter include the
following:
— 1 Cisco products enable a secure VPN
— 2 IPSec overview
— 3 IPSec protocol framework
— 4 How IPSec works
• Chapter 3, “Cisco VPN 3000 Concentrator Series Hardware Overview”—This chapter looks at the
Cisco VPN 3000 Concentrator Series and describes the capabilities of each VPN concentrator model.
Exam objectives covered in this chapter include the following:
— 5 Overview of the Cisco VPN 3000 Concentrator Series
— 6 Cisco VPN 3000 Concentrator Series models
— 7 Benefits and features of the Cisco VPN 3000 Concentrator Series
— 8 Cisco VPN 3000 Concentrator Series Client support
• Chapter 4, “Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys”—This chapter
describes the process of configuring VPN concentrators for remote access with preshared keys. Initial CLI
and browser configuration of the concentrator are covered. Advanced configuration issues are discussed.
Installation and configuration of the Cisco VPN Client for Windows is also discussed in this chapter.
Exam objectives covered in this chapter include the following:
— 9 Overview of remote access using preshared keys
— 10 Initial configuration of the Cisco VPN 3000 Concentrator Series for remote access
— 11 Browser configuration of the Cisco VPN 3000 Concentrator Series
— 12 Configuring users and groups
— 13 Advanced configuration of the Cisco VPN 3000 Series Concentrator
— 14 Configuring the IPSec Windows Client